What are the CMMC Requirements?

The requirements for CMMC certification depend on the level of certification needed. Each level builds on the requirements of the levels below it. Therefore, a Level 2 certification includes every Level 1 requirement, while a Level 5 certification requires an organization to fulfill Levels 1-4 as well. Across the five levels, the certification requirements consist of:

  • 43 capabilities covering 17 capability domains
  • Five procedures to determine process advancement
  • 171 practices to assess technical capability

Here is a short explanation of each certification level:

Level 1 indicates "Basic Cyber Hygiene": DoD service providers who want to pass an assessment at this level should implement 17 controls of NIST 800-171 Rev1.

Level 2 indicates "Intermediate Cyber Hygiene": Here, DoD specialists should implement an additional 48 controls of NIST 800-171 Rev1 as well as seven new "Other" controls.

Level 3 indicates "Good Cyber Hygiene": To achieve Level 3 certification, the last 45 controls of NIST 800-171 Rev1 and 13 new "Other" controls need to be implemented.

Level 4 indicates "Proactive" cybersecurity: Along with the controls from Levels 1 through 3, 11 additional controls of NIST 800-171 Rev2 plus 15 new "Other" controls should be implemented.

Level 5 indicates "Advanced/Progressive" cybersecurity: To achieve this highest level, DoD specialists must implement the last four controls in NIST 800-171 Rev2 together with 11 new "Other" controls.

The requirements an organization needs to meet depend on the level of certification. The requirements are divided into practices and procedures. To comply with a given certification level, a service provider must meet the requirements for all the practices and procedures associated with that level across multiple capability areas.

